TTL of session at hardware FortiGate involves issue when failover at another FortiGate VM cluster b
Hi, we are trying to deploy a hub-and-spoke topology using Fortinet devices.
We are using two virtual FortiGates (VM) in an FGCP cluster (active/passive) as the hub, and one hardware FortiGate-40F as a spoke. We configured IPsec (using the dial-up approach) and BGP as the routing protocol over the IPsec tunnels.
Our hub is located in an on-premise data center and is deployed on VMware ESXi. The hub sits behind two hardware FortiGate 3001F firewalls (also in an active/passive FGCP cluster). The hub reaches the internet using NAT, which is configured on the FortiGate 3001F. The spoke also doesn't have a real IP and is located behind provider NAT.
In this scheme we have a problem related to failover at the VM hub. The issue is: when we do a failover at the VM hub (using the CLI command `exe ha failover set 1` to test the failover process), we lose connectivity to our spoke. Our IPsec tunnel is down (after failover), and it takes a long time to restore the tunnel, plus some additional time for BGP convergence.
After investigation we found that if, after failover, we clear the related session on our FortiGate 3001F (or if we shutdown/no shutdown the related interface), then the tunnel is created quickly (or doesn't even flap). That is why we suppose that the problem is in the FortiGate 3001F (or, in general, in our scheme in the DC).
How can we avoid this issue when failover happens?
You can enable syncing of the ESP sequence number in the IPsec phase1-interface configuration, if it is really required for a quick failover. But at the same time this will also increase the traffic on HA and the load on the hasync process.
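As an added, constructed example (not configuration from the original post or from Fortinet): a dial-up hub phase1-interface with the `ha-sync-esp-seqno` option, which as far as I know is the phase1-interface setting the answer refers to, followed by the diagnostics used to confirm tunnel state after a test failover and to inspect the NAT-T session on the 3001F before clearing it. The interface name, tunnel name and PSK placeholder are assumptions.

```text
# Constructed example; "port1", "HUB-DIALUP" and the PSK value are assumptions.
config vpn ipsec phase1-interface
    edit "HUB-DIALUP"
        set type dynamic                # dial-up: spokes behind provider NAT initiate
        set interface "port1"
        set ike-version 2
        set peertype any
        set nattraversal enable         # the hub itself sits behind the 3001F NAT
        set dpd on-idle
        set proposal aes256-sha256
        set ha-sync-esp-seqno enable    # sync ESP sequence numbers to the FGCP peer
        set psksecret <PLACEHOLDER-PSK>
    next
end

# After "execute ha failover set 1", confirm tunnel state on the new primary:
diagnose vpn ike gateway list
diagnose vpn tunnel list

# On the 3001F, look at the NAT session carrying IKE/NAT-T (UDP 4500)
# before clearing it, so the pre-failover state is recorded:
diagnose sys session filter dport 4500
diagnose sys session list
```

Compare the session's remaining TTL and NAT mapping on the 3001F with the IKE gateway state on the hub; if the tunnel only recovers once that session is cleared, the evidence points at the 3001F session rather than at the hub cluster.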